Approved Foi*Release 2003/1 




000500180002 - 8 '”®^^^^ 


ODP-81-1596 
27 November IS SI 


25X1 


MEMORANDUM FORi ODP/OL Joint Working Group 


FROM : 


SUBJECT? 


Security Officer, CDP 

QDP/Ofe Joint Working Group Minutes 


1. On 22 September 1981, the ODP/GS Joint working Group met 
in Room 2D-03, Headquarters. The following were in attendance. 
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2. ISSG will establish a policy on the destruction of 

magnetic tapes. ODP will degauss the tapes a nd th e Office of 
Logistics will destroy the tapes by burning. | | 

3. SPD discussed the Ludlow Encryption System with NSA but 

concluded there are serious format problems negating any 
advantages to the system. It would require a non-trlvial change 
to the operating system. 5PD would look at other alternatives 
including the enlargement of the p asswo rd directory with a 
tighter control on the directory. | | 

4. In response to an ISSG request, SPD is developing an 

alert system for incorrect log-on or unauthorized use of the 
system. The system will report any exceptions to a security 
console that will be monitored on a 24 hour basis for immediate 
response « An alternat ive i s an electronic mail file that will be 
reviewed by security . | | 

5. The briefing of the D/DP and D/S will be conducted in 

December or January. The major items will includ e the status of 
ACF-2, Audit Trail and Document Logging System. | | 
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6. Some problems developed in the purchase of the Cornell 
Mini-Disk Manager, There are a large number of modules and each 
module involves a license, Although more of a management tool, 
the Cornell does provide some security bene fits . SPD will take 
action to contact OL/PD for a resolution. 


7, A first effort to install the V-linfc will be in the 
Special Center, It can control the vulnerability involved in a 
GOTO. The owner defines who has access to a disk and the 
identity i& in the directory in the GOTO profile. Customer 
Services Staff would have the responsibility to build rules to 
mini-disks. This is a manual operation and requires contacting 
the disk owner for a list of those v;ho have access. The V-link 
is incorporated in th e Corne ll Manager and gives options to those 
who manage the disk. 


8. The subject arose concerning authorization to access and 
dump the date from someone * s disk. The unwritten policy of ODP 
is not to dump a disk unless a written request is received from 
the Director of the Component responsible for the disk. The 
right of the Component Director to dump a disk is similar to his 
right to have a safe opened to review its contents. Additionally 
the Form 4065 * ODP System Access Bequest * advises the requesting 
user th at th e use of these systems will be audited on a periodic 
basis* 


9. ISSG will develop a policy on the responsibility for the 
assignment of passwords. The need for a policy developed when 
the CAMS * Managers asked to control CAMS' passwords. In the 
beginning* the CAMS Manager issued and controlled the 
passwords. ODP assumed the responsibility about four years ago 
and it took a year to clear up the mess they inherited. Although 
the CAMS Manager presented some legitimate arguments for assuming 
password control* the Working Group was in agreement that the 
fewer peo ple in volved with password control the better the 
control, f I 


10, All members agreed that a new directory of passwords 
must be developed, SPD will develop a new file with millions of 
words rather than the current 6*000 words that are reused. Under 
the intended scheme, a password would he issued only once for a 
prescribed period then removed from the system when r eplaced. 
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